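/**
 * Validates a server certificate chain with two checks in sequence: the
 * system trust check ({@code checkSystemTrust}) and the pin check
 * ({@code checkPinTrust}).
 *
 * <p>The listing on the page had lost its whitespace and line breaks, so the
 * {@code //} note swallowed the three statements that follow it; they are
 * restored here as separate statements.
 *
 * <p>Security-relevant behaviour visible in this method:
 * <ul>
 *   <li>A chain whose leaf ({@code chain[0]}) is already in {@code cache} is
 *       accepted immediately; neither check is re-run for it.</li>
 *   <li>The leaf is added to {@code cache} only after both checks have
 *       returned without throwing.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code chain} is dereferenced without a null/empty guard,
 * and the type and lifetime of {@code cache} are not visible in this excerpt.
 * If entries never expire, a cached leaf keeps being accepted without
 * re-validation; confirm against the field declaration.
 *
 * @param chain    certificate chain presented by the server; {@code chain[0]}
 *                 is used as the cache key
 * @param authType passed through unchanged to {@code checkSystemTrust}
 * @throws CertificateException declared by this method; presumably raised by
 *         {@code checkSystemTrust} or {@code checkPinTrust} when validation
 *         fails (their bodies are not shown here)
 */
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    // Fast path: this leaf certificate already passed both checks earlier.
    if (cache.contains(chain[0])) {
        return;
    }

    // Note: We do this so that we'll never be doing worse than the default
    // system validation. It's duplicate work, however, and can be factored
    // out if we make the verification below more complete.
    checkSystemTrust(chain, authType);

    // Pin validation runs in addition to, not instead of, the system check.
    checkPinTrust(chain);

    // Reached only when neither check threw, so only validated leaves are cached.
    cache.add(chain[0]);
}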

知道了证书锁定的实现方式,就可以通过 hook 解除锁定:hook SSLContext 的 init 方法,将其中的 TrustManager 替换为信任所有证书的 TrustManager。

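// Frida (Java bridge) excerpt. The page's listing had lost its line breaks,
// so the leading `//` comment swallowed every statement after it; the
// statements are restored below without changing what they do.
//
// SSLContext, TrustManagers and quiet_send are not defined in this excerpt;
// they are presumably created earlier in the same script (e.g. via Java.use).
//
// Defensive takeaway: a pin enforced only inside a client-side TrustManager
// protects against network interception, not against someone who can
// instrument the process. Keep server-side authorization independent of it.

// Get a handle on the init() on the SSLContext class
var SSLContext_init = SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;',
    '[Ljavax.net.ssl.TrustManager;',
    'java.security.SecureRandom'
);

// Override the init method, specifying our new TrustManager
SSLContext_init.implementation = function (keyManager, trustManager, secureRandom) {
    quiet_send('Overriding SSLContext.init() with the custom TrustManager');
    // All three caller-supplied arguments are discarded: the original init()
    // is invoked with null key managers, the script's TrustManagers array and
    // a null SecureRandom. Any KeyManager the app passed in is dropped too.
    SSLContext_init.call(this, null, TrustManagers, null);
};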

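// Frida script as shown on the page, with the stripped whitespace restored.
// In the collapsed listing `var`/`return` were fused with the following
// identifier and each `//` comment swallowed the code after it.
//
// What it does: inside Java.perform it replaces OkHttp's pin checks with
// no-op implementations:
//   - okhttp3.CertificatePinner.check            (both overloads)
//   - com.squareup.okhttp.OkHttpClient.setCertificatePinner
//   - com.squareup.okhttp.CertificatePinner.check (both overloads)
// Once these are in place the pin comparison never runs in that process.
//
// For app owners: CertificatePinner is an in-process check. It raises the bar
// against network interception but is not tamper-proof on a device the tester
// controls. Pair it with server-side controls and, where warranted,
// runtime-integrity signals.
setTimeout(function () {
    Java.perform(function () {
        // okhttp3.x unpinning
        try {
            var CertificatePinner = Java.use("okhttp3.CertificatePinner");

            CertificatePinner.check.overload(
                'java.lang.String',
                '[Ljava.security.cert.Certificate;'
            ).implementation = function (p0, p1) {
                // do nothing
                console.log("Called! [Certificate]");
                return;
            };

            CertificatePinner.check.overload(
                'java.lang.String',
                'java.util.List'
            ).implementation = function (p0, p1) {
                // do nothing
                console.log("Called! [List]");
                return;
            };
        } catch (e) {
            // NOTE(review): any exception lands here, not only a missing
            // class (e.g. an overload that does not exist in the loaded
            // version), so this message can be misleading.
            console.log("okhttp3 not found");
        }

        // okhttp unpinning
        try {
            var OkHttpClient = Java.use("com.squareup.okhttp.OkHttpClient");

            OkHttpClient.setCertificatePinner.implementation = function (certificatePinner) {
                // do nothing
                console.log("Called!");
                // Returning `this` keeps the call chainable for the caller
                // while the supplied pinner is never installed.
                return this;
            };

            // Invalidate the certificate pinning checks (if "setCertificatePinner"
            // was called before the previous invalidation)
            var CertificatePinner = Java.use("com.squareup.okhttp.CertificatePinner");

            CertificatePinner.check.overload(
                'java.lang.String',
                '[Ljava.security.cert.Certificate;'
            ).implementation = function (p0, p1) {
                // do nothing
                console.log("Called! [Certificate]");
                return;
            };

            CertificatePinner.check.overload(
                'java.lang.String',
                'java.util.List'
            ).implementation = function (p0, p1) {
                // do nothing
                console.log("Called! [List]");
                return;
            };
        } catch (e) {
            // NOTE(review): same caveat as above. The message is printed for
            // every failure inside this try block.
            console.log("okhttp not found");
        }
    });
}, 0);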